Data extortion through cyber means is an insidious threat that thousands of companies throughout the world experience firsthand. For many bad actors, it is the attack of choice owing to its ease of execution, low risk of detection, and huge financial upside. According to Coveware Inc., the average ransom payment ($111,605) increased by 33% from Q4 2019 to Q1 2020. Companies big and small have suffered ransomware attacks that left them with unimaginable business interruption. Ransomware attacks have become so popular among cyberattackers that ransomware has become its own industry, with shrink-wrapped and Ransomware-as-a-Service (RaaS) options widely available for sale on the dark web. The methods used by ransomware operators to extort money continue to evolve. Some operators use name-and-shame sites; others simply encrypt the victim’s data and hold it hostage until payment is made.
By Tari Schreider, C|CISO, CRISC, MCRP, ITILF, Senior Analyst at Aite Group
This article lists the most frequently asked questions I get from those attending my EC-Council C|CISO Masterclasses or my Ransomware Simulation Exercises.
1. Is it Illegal to Pay a Ransom Under U.S. Law?
The answer can be both yes and no, depending on the situation. For the most part, U.S. law favors those who pay a ransom. The U.S. does not generally prohibit or punish those paying a ransom for the return of property or people unless it is paid to a country, organization, or person on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) Sanctions List.
The same is not true, however, for the ransomware operators. According to 18 U.S. Code § 1202 (Ransom money), the following holds:
- Whoever receives, possesses, or disposes of any money or other property, or any portion thereof, which has at any time been delivered as ransom or reward in connection with a violation of section 1201 of this title, knowing the same to be money or property, which has been at any time delivered as such ransom or reward, shall be fined under this title or imprisoned not more than ten years, or both.
- A person who transports, transmits, or transfers in interstate or foreign commerce any proceeds of a kidnapping punishable under State law by imprisonment for more than 1 year, or receives, possesses, conceals, or disposes of any such proceeds after they have crossed a State or the United States boundary, knowing the proceeds to have been unlawfully obtained, shall be imprisoned not more than 10 years, fined under this title, or both.
For those of you who clicked the link “section 1201 of this title,” you have undoubtedly noticed that this law applies to persons, and you would be correct. However, I call your attention to the legal definition of a person: a corporation is a “person” for the purposes of the constitutional guarantees of equal protection under the law.
The U.S. government prohibits any financial transactions, including ransom payments, with governments, organizations, and individuals that are on the U.S. sanctions lists. The countries on the sanctions list include the usual havens of ransomware operators, including Iran, North Korea, and Syria. OFAC has also placed sanctions on certain individuals, for example, two Russian citizens responsible for the development and use of the Cryptolocker ransomware, which infected over 120,000 U.S. victims.
The Trading with the Enemy Act of 1917 is an interesting law to consider, especially in light of the passage: “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity.” Technically, paying a ransom could be construed as providing material support. This act, in conjunction with a country or individual on the OFAC sanctions list, could cause significant issues for anyone paying a ransom. The ambiguity of these laws is one reason companies opt to pay ransoms through a third party.
2. Do I Need to be Concerned About any State Ransomware Laws?
Not really! State ransomware laws focus mainly on establishing ransomware as a property crime, which applies to the ransomware operators. States are always looking for ways to protect their citizens from cyberattacks. Aside from general cybercrime legislation, many states enact specific laws to address emerging cyberthreats they feel are not covered under their current laws. The emergence of ransomware laws is just one example of this. The pervasive nature of ransomware and the widespread destruction exacted on companies made it only a matter of time before laws were passed to thwart ransomware operators.
On September 27, 2017, California amended Section 523 of their Penal Code with Senate Bill No. 1137. The law specifically names computer crime extortion as a punishable offense. The California law defines ransomware as a “computer contaminant or locks placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant…” Other states with enacted ransomware laws include Connecticut, Michigan, Texas, and Wyoming. Some states, such as New York, are even attempting to enact laws that would make it a crime to use taxpayer money to pay ransom demands. New York Senate Bill S7246 is currently in committee.
3. Has the U.S. Government Passed Anti-Ransomware Laws?
Only marginally. The U.S. Federal government has been slow to act when it comes to passing legislation criminalizing ransomware attacks, their operators’ actions, and the ultimate impact on organizations (victims). I believe this is mostly due to legislators who believe current laws already treat ransomware as a crime covered under existing statutes. However, a law passed by the U.S. House, H.R. 5074 – DHS Cyber Hunt and Incident Response Teams Act of 2019, was inspired by the reported increasing number of ransomware attacks. Although the Act never mentions the word ransomware, it does authorize the Department of Homeland Security to maintain cyber hunt and incident response teams. The Act’s intended purpose is to lead a Federal asset protection response that assists Federal and non-Federal organizations alike in responding to cyberattacks. The presumption is that ransomware falls within the Act’s mandate.
4. Will I Violate the Foreign Corrupt Practices Act by Paying a Crypto Ransom?
No. The Foreign Corrupt Practices Act (FCPA) of 1977 is designed to prevent payments to foreign governments that assist in obtaining or retaining business or in directing business to any person. A ransomware payment does not meet the threshold of a foreign government bribe. The U.S. Department of Justice and the U.S. Securities and Exchange Commission agree; their guidance on the FCPA states that extortion will not give rise to FCPA liability when a payment is made in response to true extortionate demands under imminent threat of physical harm.
5. Will a Ransomware Attack Trigger a Data Breach Notification?
In most cases, yes. Ransomware operators are no longer satisfied with just locking you out of your critical files; they want to entice you to pay the ransom by threatening to leak your information. Most data breach laws require that you be certain no breach occurred, but how can anyone be absolutely certain? The answer is that you cannot.
Let’s look at the guidance provided by the Department of Health and Human Services (HHS) in its Fact Sheet: Ransomware and HIPAA, which states:
A breach under the HIPAA Rules is defined as, “… the acquisition, access, use, or disclosure of [protected health information] PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6.
The HIPAA Privacy Rule states:
“When electronically protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”
Unless the covered entity or business associate can demonstrate that there is a “… low probability that the PHI has been compromised,” based on the factors outlined in the Breach Notification Rule, a breach of PHI is presumed to have occurred.
6. Can I be Sued After a Ransomware Attack?
This answer is an unquestionable yes! Take the recent cases in which Blackbaud Inc. and Epiq Systems Inc. face class-action lawsuits over ransomware attacks that affected many of their respective customers. The basis of these lawsuits is the accusation that both companies acted negligently and failed to protect customer data. Numerous law firms make a practice of filing class-action lawsuits related to cyberattacks.
You will need to ask yourself whether your organization meets its duty to provide reasonable security. When a direct or implied contractual relationship exists, your organization must protect customers’ interests and their data.
7. Can my Company Legally Fire Me after a Ransomware Attack?
When a cyberattack occurs, companies seek to affix blame. Companies including Capital One, Equifax, Uber, Target, and others have all fired their senior IT management following a breach of security. With that said, the answer is a resounding yes. But can you file a lawsuit? The answer is yes, if you feel it was a wrongful termination. Take the case of Lake City, Florida, which experienced a ransomware attack in 2019. The city realized that it was not prepared to fend off its ransomware attack and ended up paying 42 bitcoins, worth $460,000, in ransom. Its IT Director, Brian Hawkins, was blamed for the attack, and his employment was terminated. Mr. Hawkins has filed a wrongful termination suit against the city, citing his pre-attack insistence that the city’s backup systems were inadequate to recover from a cyberattack. The city has been rebuffing his lawyer’s discovery motions, stating that it would cost thousands of dollars to produce the emails that Mr. Hawkins says are evidence of his due diligence. We will have to wait to see how this plays out in the courts to see who is right. The lesson here is that you will need documentation to prove that your recommendations went unheeded. If you find yourself fired over a cyberattack, hire a great lawyer and keep the documentation that proves your actions.
8. Can I Sue an Insurance Company for Not Paying a Ransomware Claim?
Yes, you can, and many have. One of the most notable court cases over a denied cyber policy claim is the ongoing Mondelez International v. Zurich American Insurance Company lawsuit, where the insurance company denied a ransomware attack claim in the amount of $100 million, citing the policy’s act-of-war exclusion. The fine print of a cyber or fraud insurance policy has prevented several companies from receiving payment on ransomware damage claims. Reasons for non-payment include the insurance company determining that the ransomware attack was an act of war or that no fraud occurred.
Let us look at one court case in which the G&G Oil Company of Indiana found itself the victim of a ransomware attack. The company paid two ransom demands to receive a decryption key to unlock its critical files. Believing the attack was covered under its insurance policy, the company filed a claim to recover the cost of data recovery as well as the ransom payment. Its insurer, Continental Western Insurance, denied the claim, stating that the event was not fraud but an act of theft. Also, G&G Oil’s policy excluded viruses and hacking attacks. Nonetheless, G&G Oil sued, and the court granted summary judgment in favor of the insurer. So, although you have the right to sue your insurance company, you need to be sure you understand your policy’s exclusions and, if required, purchase a true cyber insurance or data breach policy.
9. Are Ransom Payments Legally Deductible?
They can be, if done under the auspices of a tax attorney. The caveat is that the expenses resulting from the ransomware attack must be properly accounted for according to U.S. tax law. One approach would be to claim the related expenses as an ordinary and necessary business expense under 26 U.S. Code 162(a) – Trade or Business Expenses. Given the nascent nature of ransomware, the argument that an attack is now part of the cost of doing business on the Internet could very well stand up to Internal Revenue Service (IRS) scrutiny. The Supreme Court has ruled that for a payment to be “necessary,” it must be “appropriate and helpful” for “the development of the taxpayer’s business.” What could be more necessary than freeing your company from a crippling attack?
Another option is to claim the costs not reimbursed by insurance as a theft loss under 26 U.S. Code 165(a) – Losses. A little wrinkle in this is that the IRS states the attack must be illegal under the law of the state where it occurred. If you are in a state with a ransomware law, you are in luck. However, in most states you can find some legislation to use to justify this treatment. The best advice here is to hire a great corporate tax attorney and deduct your ransomware-related costs.
10. If I Fall Victim to a Ransomware Attack, Am I Legally Required to Disclose?
Yes, depending on the regulations and laws by which your organization is governed. A ransomware attack has a legally subtle but important difference compared to typical cybercrimes. With a classic data breach where data is exfiltrated (stolen), the violation of information is never in doubt. In ransomware attacks, data is made inaccessible – so has a theft occurred, or privacy been violated? If the data is released after payment, has any harm been done? One could argue that, as no data was lost and no harm occurred other than your bruised pride and loss of money, it is not a disclosable crime. Disclosing or not disclosing a cyberattack introduces an ethical dilemma as well. It may be entirely legal not to disclose, but is it the right thing to do? Several years ago, most companies that chose not to disclose would likely have suffered no legal consequences. However, today ransomware operators steal data and threaten to disclose confidential information if the ransom is not paid. In that case, a data breach has occurred.
Public companies have no wiggle room when it comes to disclosing a breach. On October 13, 2011, the SEC issued a CF Disclosure Guidance relating to cybersecurity risks and cyber incidents. Hence, beginning in 2021, publicly traded companies must acknowledge any cyberattacks to their respective regulator. So, the best policy is to do the right thing and disclose the event.
None of what I covered in this article should be construed as providing legal advice, and I advise you to consult with your legal counsel to go through these questions. My goal is to make CISOs the smartest people in the room.
This article first appeared in the December 2020 issue of CISO MAG.
About the Author
Tari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He is currently a Senior Analyst with Aite Group covering cybersecurity technologies and practices for Aite Group, LLC. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.
Verification of legal quotations and references in this article has not been done by CISO MAG editors and is the responsibility of the author. Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.